Hi Florence,

I have examined the logs on the tomcat. There seems to be an issue. Do you think that the command

ipactl --ignore-service-failures start

should solve the problem, or do I need to investigate the logs?

Thanks and regards,
AM

On Thu, 24 Feb 2022 at 08:23, Florence Blanc-Renaud <[email protected]> wrote:

> Hi,
>
> so there are at least 2 issues to fix:
> - kinit admin fails
> - pki-tomcatd service and ipa-otpd service are stopped.
>
> For the first issue, can you run:
> # KRB5_TRACE=/dev/stderr kinit admin
> This will print more details (if DNS resolution is used etc...)
>
> For the 2nd issue, you need to have a look at the logs in
> /var/log/pki/pki-tomcat/, and check for errors with
> # systemctl status pki-tomcatd@pki-tomcat
> and in the journal:
> # journalctl -u pki-tomcatd@pki-tomcat
>
> flo
>
> On Wed, Feb 23, 2022 at 10:35 AM Alessandro Minonzio <
> [email protected]> wrote:
>
>> Hi Florence,
>>
>> thanks for the support. I report the status of FreeIPA:
>>
>> [root@adv ~]# ipactl status
>> Directory Service: RUNNING
>> krb5kdc Service: RUNNING
>> kadmin Service: RUNNING
>> httpd Service: RUNNING
>> ipa-custodia Service: RUNNING
>> ntpd Service: RUNNING
>> pki-tomcatd Service: STOPPED
>> ipa-otpd Service: STOPPED
>> ipa: INFO: The ipactl command was successful
>>
>> pki-tomcatd and ipa-otpd seem to be stopped.
>>
>> On Wed, 23 Feb 2022 at 10:00, Florence Blanc-Renaud <[email protected]>
>> wrote:
>>
>>> Hi,
>>> are all the IPA services up and running on the replica (the kinit error
>>> suggests that either krb5.conf is badly configured or the kerberos server
>>> isn't running on the replica)?
>>> Please report the output of "ipactl status".
>>>
>>> flo
>>>
>>> On Wed, Feb 23, 2022 at 9:05 AM Alessandro Minonzio via FreeIPA-users <
>>> [email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> I report this issue about FreeIPA server:
>>>>
>>>> ----------------------------------------------------------------------
>>>>
>>>> Request for enhancement
>>>>
>>>> A strange error is occurring when I try to access my FreeIPA.
>>>>
>>>> Issue
>>>>
>>>> The problem occurs when I try to access the FreeIPA portal.
>>>>
>>>> "The message occurs saying IPA Error 4301: CertificateOperationError"
>>>> "Certificate operation cannot be completed: Unable to communicate with
>>>> CMS (500)"
>>>>
>>>> In Certificate Authority, this appears:
>>>>
>>>> "cannot connect to 'https://xyz.xxxxxhq.it:443/ca/rest/account/login':
>>>> [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake failure (_ssl.c:1826)"
>>>>
>>>> and if I try to connect with the KINIT ADMIN command on the console,
>>>> this error appears:
>>>>
>>>> "kinit: Cannot contact any KDC for realm 'SUBITOHQ.IT' while getting
>>>> initial credentials"
>>>>
>>>> Actual behavior
>>>>
>>>> The web server and the console with kinit admin don't work. The
>>>> LDAPADMIN tool doesn't either.
>>>>
>>>> Version/Release/Distribution
>>>>
>>>> package freeipa-server is not installed
>>>> package freeipa-client is not installed
>>>> ipa-server-4.6.5-11.el7.centos.3.x86_64
>>>> ipa-client-4.6.5-11.el7.centos.3.x86_64
>>>> 389-ds-base-1.3.9.1-12.el7_7.x86_64
>>>> pki-ca-10.5.16-5.el7_7.noarch
>>>> krb5-server-1.15.1-37.el7_7.2.x86_64
>>>>
>>>> Additional info:
>>>>
>>>> Maybe it's a problem with the CA, but what is the process to solve that
>>>> issue? The fact is that this behavior is on a replica FreeIPA server with
>>>> CA and DOMAIN. Is there a resolution or a command to solve that?
>>>>
>>>> ----------------------------------------------------------------------
>>>>
>>>> Could you help me please?
>>>>
>>>> Best regards,
>>>>
>>>> AM
>>>> _______________________________________________
>>>> FreeIPA-users mailing list -- [email protected]
>>>> To unsubscribe send an email to
>>>> [email protected]
>>>> Fedora Code of Conduct:
>>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>> List Archives:
>>>> https://lists.fedorahosted.org/archives/list/[email protected]
>>>> Do not reply to spam on the list, report it:
>>>> https://pagure.io/fedora-infrastructure
>>>>
>>>
